300,000 routers hijacked, modified in malicious attack

Researchers have uncovered another malicious router attack, which so far has affected over 300,000 home and small-office routers from manufacturers including D-Link, TP-Link, Micronet and Tenda. Hackers have successfully compromised the routers in question and changed their DNS server settings, which can lead to serious consequences.

According to Team Cymru, who published details of the attack on Monday, a variety of techniques have been used to access and modify the settings of the routers in question. Specifically, hackers may have used a cross-site request forgery (CSRF) attack to automatically change DNS settings after web interface passwords are set to blank. Another vulnerability gives attackers access to configuration files through an unauthenticated URL.

Attacks such as this are only possible thanks to vulnerabilities in the router's firmware. Team Cymru reports that most users affected by the attack reside in Vietnam, India and Italy - countries where ISPs likely supply affected routers - although some United States users were also hit.

Any routers compromised by the hackers in question have had their DNS servers changed to 5.45.75.11 and 5.45.75.36, which opens the door to malicious activity. For example, the attackers could direct online banking traffic to booby-trapped websites designed to steal credentials, or malicious software could be unwittingly downloaded.
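A simple way for a defender to check for this hijack is to compare the resolvers a device has been handed against the two addresses named in the report. The script below is an added example, not code from the article or from Team Cymru; the expected-resolver allowlist and the resolv.conf sample are assumed values constructed for illustration.

```python
import ipaddress
import re

# Rogue resolvers named in Team Cymru's report (from the article above).
ROGUE_RESOLVERS = {"5.45.75.11", "5.45.75.36"}

# Resolvers this network is expected to use; assumed values for the example.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text,
    skipping entries that are not valid IP addresses."""
    found = []
    for token in NAMESERVER_RE.findall(resolv_conf_text):
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # malformed entry, e.g. a hostname or stray text
    return found


def audit_resolvers(resolv_conf_text):
    """Classify each configured resolver: 'rogue' if it is one of the
    indicators from the report, 'unexpected' if it is not on the allowlist,
    'ok' otherwise. Returns a list of (address, verdict) tuples."""
    verdicts = []
    for addr in parse_resolvers(resolv_conf_text):
        if addr in ROGUE_RESOLVERS:
            verdicts.append((addr, "rogue"))
        elif addr not in EXPECTED_RESOLVERS:
            verdicts.append((addr, "unexpected"))
        else:
            verdicts.append((addr, "ok"))
    return verdicts


# Constructed sample: what a client behind a hijacked router might receive via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd
nameserver 5.45.75.11
nameserver 5.45.75.36
nameserver 192.168.1.1
"""

if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{addr}: {verdict}")
```

Note that many routers hand clients their own LAN address as the resolver and forward upstream, so a clean client-side result is not conclusive; the router's own WAN DNS settings must be inspected as well.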

Team Cymru notes similarities between this attack and another recent attack targeting Polish customers, in which hackers modified DNS settings to redirect users to false websites where banking details were stolen. However, due to the scale of this attack, Team Cymru believes the attackers had a "more traditional criminal intent" to perform activities "such as search result redirection, replacing advertisements, or installing drive-by downloads."